Users & Roles

An overview of managing users and role-based access control in env0

Create users in env0

When a new user logs in to env0 for the first time, either by starting a trial or by accepting an invitation to join an existing Organization, a user profile is created. Profile details are taken from the Google, GitHub, Bitbucket or Microsoft account that was used to log in. Users are identified by their email address.



env0 supports managing your organization's users using SAML on all paid tiers. See our pricing for more details.

A user belongs to one or more Organizations.

When a user profile is created, a Default Organization is created for that user. The user is an administrator for this organization. This organization can be used for evaluation and testing by the user.

Users can accept invitations to join other organizations, and become members of them as well.

Manage Users of an Organization

Organization Administrator users in an organization can manage users for the organization.
To manage the organization's users, select the Users screen in the Settings tab (this tab is only accessible to Organization Administrator users).



If an Active Project is selected, the Users screen refers to the project users, not the Organization.

The Organization Administrator can change user organization roles, remove users from the organization, or invite new users.

Users cannot remove themselves from an organization, or change their organization role.

Invite Users to an Organization

Any Organization Administrator can invite other users to join their organization.

Click Invite User, enter a valid email address for the invited user, and then click Send Invitation.

A user can be invited to an organization whether or not they have an active env0 profile. A user is created in env0 for the invitee (if they are not already a user). The invitation email is sent to the user at their email address and the user status is set to Invited.

If the user is new to env0, a user profile is created when they log in for the first time.

The admin can track the user status in the Users screen, and see when the user has accepted the invitation and joined the organization.

At any time, Organization Administrators can revoke an invitation to a user. Click on the garbage can icon next to the user in the Users tab. Once revoked, the user disappears from the list and they can no longer accept the invitation.

Organization Roles

env0 has two roles in the Organization scope:

A User has no configuration privileges in the Organization scope. They cannot create or edit templates, variables or policies, git tokens, or any other configuration at the Organization level, and cannot view the organization settings (such as users or API Keys).

A User can be associated with any Project in the organization, with any role. They work in the projects with which they are associated.

An Organization Administrator is the superuser of the system. They have full configuration privileges to all items in the Organization scope, including variables, templates, policies, tokens, and any other configuration.

They also have full access to the organization settings, including inviting and removing users, and generating API keys.

In addition, an organization administrator is associated with all projects in the Organization, and has a Project Administrator role in each one of them. No user can change the association or role of the Organization Administrator.

Manage Users of a Project

In order to have access to a project, users need to be associated with it.
Each user associated with a project has a specific project Role assigned to them.

Managing access to a project can be done in 2 ways:

  1. Managing a team's access to a project:
    If a user is a member of a team that is assigned to the project, the team's role will cascade onto the user. See the Teams section for more information.

  2. Manage a user's access directly:
    A user can also be given a specific role in a project outside of a team. This can be used to give a user additional permissions that they do not have from their team's role, or when the user is not part of any team. Managing users this way requires the Administrator role for that project.
    Go to "Project Settings" and then select the Users tab. There you'll see a list of all the organization users. Select users from this list to assign to this project, and, for each, set a role within the specific project.

If the user has multiple roles, originating from their teams or from their own specific role for the project, the highest role is the one that takes effect.

Project Roles

A regular user cannot change their role within a project, or disassociate themselves from a project. They also cannot change the role of any other user with an Organization Admin role.
An Organization Admin is associated with all projects, with an administrator role.

env0 has these roles in the Project scope:

A Viewer can only look at the environments in the projects and see their status.

  • They have no permissions to create, destroy or change environments.
  • They do not have any access to view or change project settings.

A Planner has similar privileges to a Deployer in that they can create, change, or destroy environments, but they cannot automatically approve their plans.

  • Their actions require an active approval from a Deployer to be executed.

A Deployer can create, change or destroy environments that belong to them.

  • They can automatically approve their plans, so they can be executed immediately without further approval.
  • Can also approve plans created by the actions of other users.
  • Cannot view or change project settings.

An Administrator has full configuration privileges within a given Project.

  • Can create new environments, and view and change all environments by all users.
  • Can automatically approve their plans, so they can be executed immediately without further approval.
  • Can also approve plans created by the actions of other users.
  • Can change project settings, including associating users and templates with the project and assigning user roles.
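
The resolution rules on this page (a team's role cascades to its members, a user can also hold a direct project role, the highest role wins, and an Organization Administrator is an Administrator in every project) can be replayed offline during an access review to see who can approve their own plans. The following Python is an added example, not env0 code or an env0 API; the data layout, the function names and the rank order Viewer < Planner < Deployer < Administrator are assumptions, the last taken from the order in which the roles are listed above.

```python
# Added example: effective project role per the rules described on this page.
# Rank order is an assumption taken from the order the page lists the roles.
RANK = {"Viewer": 0, "Planner": 1, "Deployer": 2, "Administrator": 3}

def effective_role(user, project, org_admins, direct, team_members, team_roles):
    """Return (role, sources) for user in project, or (None, []) if unassociated."""
    if user in org_admins:
        # Organization Administrators are Project Administrators everywhere.
        return "Administrator", ["organization-admin"]
    grants = []
    if (user, project) in direct:
        grants.append((direct[(user, project)], "direct"))
    for team, members in team_members.items():
        if user in members and (team, project) in team_roles:
            grants.append((team_roles[(team, project)], f"team:{team}"))
    if not grants:
        return None, []
    top = max(RANK[role] for role, _ in grants)
    winner = next(role for role, _ in grants if RANK[role] == top)
    # Report every grant that yields the winning role, so the review shows
    # which assignment would have to change to lower the user's access.
    return winner, sorted(src for role, src in grants if RANK[role] == top)

def self_approvers(project, users, **ctx):
    """Users whose effective role lets them approve their own plans."""
    found = {}
    for user in users:
        role, sources = effective_role(user, project, **ctx)
        if role in ("Deployer", "Administrator"):
            found[user] = (role, sources)
    return found

# Constructed sample data (not exported from env0).
CTX = dict(
    org_admins={"root@example.com"},
    direct={("alice@example.com", "prod"): "Viewer",
            ("bob@example.com", "prod"): "Planner"},
    team_members={"platform": {"alice@example.com"},
                  "readers": {"bob@example.com", "carol@example.com"}},
    team_roles={("platform", "prod"): "Deployer", ("readers", "prod"): "Viewer"},
)
USERS = ["root@example.com", "alice@example.com", "bob@example.com",
         "carol@example.com", "dave@example.com"]

if __name__ == "__main__":
    for user in USERS:
        print(user, effective_role(user, "prod", **CTX))
    print("can self-approve:", self_approvers("prod", USERS, **CTX))
```

In the sample, alice is a direct Viewer but resolves to Deployer through the platform team, which is the case a review of direct assignments alone would miss.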
